IT Security and Privacy
Eddie Meyer
Scott Wibbenmeyer
Chanchart Chanthanan
Zhijing Fang
ZongJun Zhu
IT Security
Information security is the process of protecting information systems and data from unauthorized access, use, disclosure, destruction, modification, or disruption. Information security is concerned with the confidentiality, integrity, and availability of data regardless of the form the data may take: electronic, print, or other forms.
http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007
Overview
- Why is it important?
- Role of CSO
- Costs of IT Security
- Security Threats
- Practices to mitigate threats
- Case Study: Washington Mutual
- Case Study: Ameren
Why is IT Security Important?
“Security breaches are as common in today’s business landscape as bad coffee and briefcases.”
Computer systems are vulnerable to many threats that can inflict various types of damage resulting in significant losses. This damage can range from errors harming database integrity to fires destroying entire computer centers.
An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-12
http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, April 2, 2008
Why is IT Security Important?
46% of respondents said that their organization had experienced a security incident in 2007.
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
Trends in Information Security Breaches
Trends in Information Security Breaches
Security is increasing as a top management concern.
Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99
Trends in Information Security Breaches
The percentage of companies with a written security policy has increased from 47% in 2004 to 62% in 2006.
http://http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008
Trends in Information Security Breaches
[Figure 2: Severity level of security breaches, plotted on a 0-10 scale of severity. Security breaches are getting more serious.]
http://http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008
Role of Chief Security Officer
CSO
Chief Security Officer (CSO) is a corporation's top executive who is responsible for security. The CSO serves as the business leader responsible for the development, implementation and management of the organization’s corporate security vision, strategy and programs. They direct staff in identifying, developing, implementing and maintaining security processes across the organization to reduce risks, respond to incidents, and limit exposure to liability in all areas of financial, physical, and personal risk; establish appropriate standards and risk controls associated with intellectual property; and direct the establishment and implementation of policies and procedures related to data security.
http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008
Background of CSO
- Most CSOs have an IT background (63%)
- Others (37%): corporate security, military, law enforcement, business operations, audit
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
Role of CSO
- Oversee a network of security directors and vendors who safeguard the company's assets, intellectual property, and computer systems, along with the physical safety of employees and visitors
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
http://images.google.com/imgres?imgurl=http://www.csointerchange.org/images/cso_interchange_logo.gif&imgrefurl=http://www.csointerchange.org/bios/bios-chicago-05/&h=93&w=303&sz=5&hl=en&start=19&um=1&tbnid=Zu6MFMM7sHYvM:&tbnh=36&tbnw=116&prev=/images%3Fq%3Dcso%2BSymantec%2BCorporation%2B%26um%3D1%26hl%3Den, viewed April 10, 2008
Role of CSO (Cont’d)
- Identify protection goals, objectives, and metrics consistent with corporate strategic plans
- Manage the development and implementation of global security policy, standards, guidelines, and procedures to ensure ongoing maintenance of security
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
IT Security Costs
Between 1995 and 2000 company spending on IT security increased 188%.
IT Security Costs
Average losses in 2007 were $345,000 per respondent.
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
IT Security Costs
[Figure: total losses as reported by the 2005 CSI/FBI Annual Computer Crime and Security Survey.]
http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008
IT Security Costs
Are costs equalizing?
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
IT Security Costs
"What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
Information Security Magazine July 1999 - "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
IT Security Threats: Organizational (Individual)
Many types of threats exist.
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2006. PP 1-25.
Types of Attacks or Abuse
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. PP 1-25.
Who is Attacking?
http://www.esecurityplanet.com/, viewed April 2, 2008
2 Types of Threats That Can Affect Both Individual and Organizational Security
1. Natural Threats - weather, deterioration, accidents, etc.
2. Man Made Threats - hacker, spam, phishing, identity theft, terrorism
Natural Security Threats
- Weather
- Deterioration
- Accidents
Do you have backup data stored offsite? Do you have a plan?
Man Made Security Threats
- Phishing
- Identity Theft
- Terrorism
What do you have in place to prevent these things from happening?
Man Made Security Threats: Phishing
An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.
http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008
Risk of Phishing
- According to Kaspersky Lab, 45% of online activity requires users to disclose personal or financial data.
- The top online activities listed by home PC users that require the disclosure of personal information were banking (20%), shopping (15%), and travel booking (10%).
http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News on Jan 9, 2007, viewed on Mar 3, 2008
Risk of Phishing
- Presently, phishing targets both business and personal transactions.
- The main purpose of phishing is to steal financial data.
- There were around 14,156 fake websites in 2006, an increase from 1,713 in 2005. (The Sun)
http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT on Oct 23, 2007, viewed on Mar 3, 2008
Risk of Phishing (Cont)
- According to the Sun poll as of 2007, a third of internet users responded to email from senders they did not know.
- 15% thought a website was secure if it claimed to belong to a well known company, but were unable to distinguish a secure website from a fake one.
http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT on Oct 23, 2007, viewed on Mar 3, 2008
Most Targeted Industry Sectors in December 2007
Financial services is the most targeted industry sector, with 91.7% of all recorded attacks.
http://www.antiphishing.org, Phishing Activity Trends Report for 2007 by Anti-Phishing Working Group (APWG), viewed March 4, 2008
Top 10 Phishing Sites Hosting Countries
The United States ranks first in phishing site hosting.
http://www.antiphishing.org, Phishing Activity Trends Report for 2007 by Anti-Phishing Working Group (APWG), viewed March 4, 2008
Example of the phishing
- A real example recently happened to UMSL email.
- The UMSL email server was attacked with a phishing email which claimed that it came from the Central Bank.
Example of the phishing (Cont’d)
http://www.centralbank.net7idpersonalbanking-secure-survey-id58274.28secure.net.jikao.com.tw/.https://www.centralbank.net/
Some Tips to Avoid the Risk of Phishing
- Do not complete a form in an e-mail message that asks you for personal information
- Enter personal information only at a secure website (https)
- Avoid clicking links in e-mail messages
- Never send a PIN or other secret data via e-mail
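The Central Bank URL above shows the pattern the tips warn about: the trusted name appears inside the hostname and again in the path, but the host that actually serves the page is registered somewhere else. The following is an added example, not code from the slides, of how a mail filter or browser extension could check for that pattern; the protected-domain list, the tiny suffix list and the sample URLs are constructed for illustration.

```python
"""Check whether a URL merely *looks* like a trusted bank's address, as in the
Central Bank phishing URL above. Added example, not code from the slides;
the protected-domain set, suffix list and sample URLs are constructed."""
from urllib.parse import urlsplit

# Brand domains a mail filter is asked to protect (assumed for the demo).
PROTECTED_DOMAINS = ("centralbank.net", "wamu.com")

# Tiny stand-in for the Public Suffix List: suffixes under which anyone can
# register a name. A real deployment would load the full list.
MULTI_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname the registrant actually controls,
    e.g. 'jikao.com.tw' for 'secure.net.jikao.com.tw'."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():      # bare IPv4 literal: no registrant
        return host
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url: str) -> dict:
    """Compare the brand a URL appears to belong to with the domain that
    actually owns it, and collect the reasons it looks deceptive."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    owner = registrable_domain(host) if host else ""
    reasons = []
    for brand in PROTECTED_DOMAINS:
        # Brand text inside the host but a different registrable domain:
        # the 'centralbank.net ... jikao.com.tw' pattern from the slide.
        if brand in host and owner != brand:
            reasons.append(f"host mentions {brand} but is registered as {owner}")
        # Brand name pushed into the path so it shows up in the address bar.
        if brand in parts.path:
            reasons.append(f"{brand} embedded in the path")
    if "https:" in parts.path:
        reasons.append("'https:' embedded in the path")
    if parts.scheme != "https":
        reasons.append("not served over https")
    return {"host": host, "owner": owner,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample URLs (not the real one from the slide).
PHISH_URL = ("http://www.centralbank.net.secure-survey-id12345"
             ".example-host.com.tw/.https://www.centralbank.net/")
REAL_URL = "https://www.centralbank.net/personal/login"

if __name__ == "__main__":
    for u in (PHISH_URL, REAL_URL):
        print(u, "->", classify_url(u))
```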
Man Made Security Threats: Identity Theft
Crimes involving illegal usage of another individual's identity. The most common form of identity theft is credit card fraud. While the term is relatively new, the practice of stealing money or getting other benefits by pretending to be a different person is thousands of years old.
http://en.wikipedia.org/wiki/Identity_Theft, viewed April 2, 2008
Types / Cost of Identity Theft
Crimes involving illegal usage of another individual's identity.
Types:
- Financial Identity Theft (using another's identity to obtain goods and services)
- Criminal Identity Theft (posing as another when apprehended for a crime)
- Identity Cloning (using another's information to assume his or her identity in daily life)
- Business/Commercial Identity Theft (using another's business name to obtain credit)
“Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12 2006. PP 2-32.
Man Made Security Threats: Terrorism
Those acts which are intended to create fear (terror), are perpetrated for an ideological goal and by a member or members of a group (as opposed to being carried out in a lone attack), and which deliberately target, or else disregard the safety of, noncombatants (civilians).
http://en.wikipedia.org/wiki/Terrorism, viewed 4/02/2008
Threat Assessment
You can look at threat assessment two ways:
- Qualitative – an “educated best guess” based on opinions of knowledgeable others gained through interviews, history, tests, and personal experience
- Quantitative – uses statistical sampling based on mathematical computations determining the probability of an occurrence based on historical data
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
Security audits were 63% useful in evaluating the effectiveness of security technology.
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
Insurance Policies
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
Practices to Mitigate Threats
- Biometric Security
- Intrusion Prevention System
Biometric Security
- Uses computerized methods to identify a person by their unique physical or behavioral characteristics
- Provides extremely accurate and secure access to information
http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology. BBC News. March 4, 2008.
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview. March 4, 2008.
Examples of Biometrics
- Fingerprint Identification – the process of automatically matching one or more unknown fingerprints against a database of known and unknown patterns
- Iris Scan – provides an analysis of the rings, furrows, and freckles in the colored ring which surrounds the pupil of the eye
http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10
http://en.wikipedia.org/wiki/Biometric
Intrusion Prevention System
- Next generation firewall
- A computer security device that monitors network and system activities for malicious or unwanted behavior and can react in real time
http://en.wikipedia.org/wiki/Intrusion_Prevention_System
Washington Mutual Phishing Case
Washington Mutual Overview
- Founded in 1889
- Retailer of financial services: mortgage lending, commercial banking, other financial services
- CIO - Debora D. Horvath. Prior to joining WaMu, she served as senior vice president and CIO for Richmond, Virginia-based GE Insurance. There, she led a global information technology organization with a $500 million budget.
- Assets of 333.62 billion
- More than 2,400 Retail Banking
http://www.wamu.com/business/default.asp, viewed April 11th, 2008
Source: http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008
Phishing trip: Washington Mutual
http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008
Current Practice of Online Banking Security
Washington Mutual further protects its online users with a multi-factor authentication solution.
http://www.wamu.com/business/default.asp
RSA Cyota Consumer Solutions
RSA Cyota Consumer Solutions, a division of RSA Security Inc., offers proven solutions for online banking and e-commerce that range from adaptive authentication – with risk-based technology, one-time passwords and transaction signing – to anti-phishing services and real-time transaction monitoring that controls fraud and manages risk.
The company’s eFraudNetwork™ community is the world’s most effective cross-bank collaborative online fraud network. Today, many of the world’s top 50 banks, including nine of the top 12 banks in North America and the UK, use RSA Cyota solutions to protect approximately 430 million consumers.
http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/
Authentication
"Washington Mutual is once again taking a proactive approach to protecting our customers by securing their accounts and personal information with superior, flexible, cutting-edge technology. By doing so, Washington Mutual customers will continue to benefit from the convenience and ease of online banking with the utmost confidence," said Dave Cullinane, chief information security officer at Washington Mutual and International President of the Information Systems Security Association.
Washington Mutual’s enhanced security will analyze every online login and transaction behind the scenes and score the potential risk based on a broad range of criteria, including the user’s IP address, geographic location, prior transaction behaviors and much more. When a potentially risky situation is detected, it can invoke additional authentication methods in real time. In addition, because online fraud crosses international boundaries, WaMu is further protecting its customers by joining a real-time world-wide fraud detection network.
http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/
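The slide describes risk-based authentication only in outline: every login is scored on IP address, location and prior behaviour, and a risky score triggers extra authentication. The block below is an added illustration of that decision flow, not RSA's or WaMu's code; the customer profile, signal weights and thresholds are all constructed, and a real system would tune them from fraud data.

```python
"""Risk-based login scoring of the kind the WaMu slides describe: each login
is scored behind the scenes on IP address, location and prior behaviour, and
a risky score invokes additional authentication. Added illustration, not
RSA's or WaMu's code; profiles, weights and thresholds are constructed."""
from dataclasses import dataclass, field


@dataclass
class Profile:
    """What the bank has learned about one customer from past sessions."""
    known_ips: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 23)    # local hours of normal activity
    typical_max_transfer: float = 0.0    # largest transfer seen so far
    recent_failures: int = 0             # failed logins in the last hour


@dataclass
class LoginEvent:
    ip: str
    country: str
    hour: int
    transfer_amount: float = 0.0


STEP_UP_THRESHOLD = 40   # ask for a second factor (e.g. one-time password)
BLOCK_THRESHOLD = 80     # refuse the session and alert fraud operations


def score_login(profile: Profile, event: LoginEvent):
    """Return (score, reasons); each signal carries a constructed weight."""
    score, reasons = 0, []
    if event.ip not in profile.known_ips:
        score += 20
        reasons.append("unknown IP address")
    if event.country not in profile.known_countries:
        score += 30
        reasons.append("new country")
    if event.hour not in profile.usual_hours:
        score += 10
        reasons.append("outside usual hours")
    if event.transfer_amount > 2 * max(profile.typical_max_transfer, 1.0):
        score += 25
        reasons.append("transfer far above history")
    if profile.recent_failures >= 3:
        score += 20
        reasons.append("recent failed logins")
    return score, reasons


def decide(profile: Profile, event: LoginEvent):
    """Map the score to allow / step-up / block, returning the reasons too."""
    score, reasons = score_login(profile, event)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step-up", score, reasons
    return "allow", score, reasons


def learn(profile: Profile, event: LoginEvent) -> None:
    """After a session passes (including any step-up), fold it into the
    profile so the same IP or country is not treated as new next time."""
    profile.known_ips.add(event.ip)
    profile.known_countries.add(event.country)
    profile.typical_max_transfer = max(profile.typical_max_transfer,
                                       event.transfer_amount)
    profile.recent_failures = 0


# Constructed customer profile and sample logins.
CUSTOMER = Profile(known_ips={"198.51.100.7"}, known_countries={"US"},
                   typical_max_transfer=500.0)
HOME_LOGIN = LoginEvent("198.51.100.7", "US", 12, 100.0)
ABROAD_LOGIN = LoginEvent("203.0.113.9", "TW", 3, 2000.0)
NEW_DEVICE = LoginEvent("198.51.100.44", "US", 2, 1200.0)
```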
Case Study: What is Ameren?
Company Overview
- Provides energy to approximately 2.4 million electric customers and nearly 1 million gas customers in IL and MO.
- Ameren created via mergers: Union Electric (UE), Central IL Public Service Co. (CIPSCO), Central IL Light Co. (CILCO), Illinois Power (IP)
- Headquarters in St. Louis, MO
- 9,000 employees
http://www.ameren.com/AboutUs/ADC_AU_FactSheet.pdf, viewed March 28, 2008
Ameren Organizational Chart (chart nodes listed from top to bottom)
CEO Ameren
Other CEO’s
CEO Ameren Services
Other VP’s
Sr. VP Admin
VP Info Technology
Manager IT Security and Planning
Other Directors and Managers
Managing Supv IT Security & Plan
Supv IT Financial Planning
Supv IT Infrastructure
Account Consultants
IT Security Analyst, Architects, Engineers
http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008
Security IT Background
- 530 IT employees
  - 5 full time employees for information security
- IT security budget is 1% of annual IT budget
  - 600K O&M
  - 400K Capital
- 1 manager type, 6 supervisors, 3 account consultants
- 30 technical architects, engineers, analysts
Linda Nappier, Manager IT Security – Planning, Interview with Scott Wibbenmeyer, April 10, 2008
http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008
Top Security Risks
1. Data loss (Customer and Corporate) – Image
2. Viruses
3. External Attacks (firewall attacks)
4. Internal Attacks (email virus, spam, bots)
5. Phishing – Social Engineering
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
IT Security Technologies
- Access Control Systems
  - Physical Security
    - Enterprise Security Management System
    - Card readers limiting access to hardware rooms and security personnel.
  - Data Security Access Policy
    - Network Access Control Software
    - Limiting access to software and networks on an as-needed basis.
    - Disabling Bluetooth capabilities on Ameren equipment (i.e. cell phones)
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
IT Security Technologies
- Firewalls
  - Intrusion Detection System (IDS)
  - Over 1 million attacks against firewall a year
  - 24 hr personnel monitoring of firewall
  - 6000 firewall rules
  - Monitors IP address of attack
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
IT Security Technologies
- Two Factor Authentication – Tokens & Passwords
  - RSA SecurID Token
- Anti-Virus Software
  - Symantec
  - Email is evaluated by Symantec off-site
- Network Pattern Software
  - Monitors usage patterns of network
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
IT Security Technologies
- Anti-Spam Software
  - Frontbridge – relay service
  - Personnel updating trigger points.
  - Over 4.3 million spam emails blocked a day
- Policies
  - Remote Access
  - Internet Usage - Websense
  - Equipment Procurement
  - Communication Policy
  - Disaster Recovery Policy
  - Audit Policy
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
Walk Away Today Safer - Quick Summary
- Protect your personal information. It's valuable.
- Don’t cut security to save money.
- Use antivirus and personal firewall software and update both regularly.
- Be sure to set up your operating system, network and Web browser software properly, and update them regularly.
- Protect your passwords.
- Back up important files.
- Learn who to contact if something goes wrong online.
?? Questions ??
References
http://en.wikipedia.org/wiki/It_security, viewed April 2nd, 2007
An Introduction to Computer Security: The NIST Handbook, National Institute of Standards and Technology, U.S. Department of Commerce, Special Publication 800-12
http://www.cio.com/article/28648/Data_Breaches_Preparation_Damage_Control_and_a_Recent_History, April 2, 2008
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
Luftman, J., Kempaiah, R., and Nash, E., Key Issues for IT Executives 2005, MIS Quarterly Executive, Vol. 5, No. 2, June 2006, pp 81-99
http://http://www.industrialcontroldesignline.com/showArticle.jhtml;jsessionid=XDVFQM3C2DBASQSNDLOSKH0CJUNN2JVN?articleID=204200898&queryText=Written+Security+Policy/, viewed April 2, 2008
http://en.wikipedia.org/wiki/Chief_Security_Officer, viewed April 2, 2008
Petersen, Rodney, The Role of the CSO, Educause, September/October, 2006, pp. 73-82.
http://images.google.com/imgres?imgurl=http://www.csointerchange.org/images/cso_interchange_logo.gif&imgrefurl=http://www.csointerchange.org/bios/bios-chicago05/&h=93&w=303&sz=5&hl=en&start=19&um=1&tbnid=Zu6MFMM7sHYvM:&tbnh=36&tbnw=116&prev=/images%3Fq%3Dcso%2BSymantec%2BCorporation%2B%26um%3D1%26hl%3Den, viewed April 10, 2008
http://www.acunetix.com/websitesecurity/web-hacking.htm, viewed March 27, 2008
Information Security Magazine July 1999 - "Top Obstacle is Budget: What is the SINGLE greatest obstacle to achieving adequate infosecurity at your organization?"
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007. PP 1-25.
http://www.esecurityplanet.com/, viewed April 2, 2008
http://en.wikipedia.org/wiki/Phishing, viewed April 2, 2008
References (Continued)
http://www.lexisnexis.com.ezproxy.umsl.edu, Inter Business News on Jan 9, 2007, viewed on Mar 3, 2008
http://www.lexisnexis.com.ezproxy.umsl.edu, The Sun: Still @ IT on Oct 23, 2007, viewed on Mar 3, 2008
http://en.wikipedia.org/wiki/Identity_Theft, viewed 4/02/2008
“Identity Theft by Victims Age”. Identity Theft Data Clearinghouse. May 12 2006. PP 2-32.
http://en.wikipedia.org/wiki/Terrorism, viewed 4/02/2008
Kovacich, Gerald L., Information Systems Security Officer’s Guide: Butterworth Heinemann, 2003.
Gordon, Lawrence, Martin Loeb, William Lucyshyn, and Robert Richardson. “Computer Crime and Security Survey”. Computer Security Institute. 2007.
http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm
http://en.wikipedia.org/wiki/Biometric, April 2, 2008
http://www.wamu.com/business/default.asp, viewed April 11th, 2008
http://www.rsa.com/press_release.aspx?id=6801, viewed April 10, 2008
http://www.infectionvectors.com/library/phishing_trip_wamu-iv.pdf, viewed April 10, 2008
http://www.baselinemag.com/c/a/Projects-Security/Security-Case-Washington-Mutual-Gets-a-Line-on-Phishing/
http://www.ameren.com/AboutUs/ADC_AU_FactSheet.pdf, viewed March 28, 2008
http://scholar/orgchart/ChartApp.aspx?defaultredirect=true&action=viewinorgchart&key=19721, March 20, 2008
Linda Nappier, Manager IT Security – Planning, Interview with Scott Wibbenmeyer, April 10, 2008
Mark Habrock and Edmond Rogers, Security Analyst, Interviewed in person by Scott J. Wibbenmeyer, April 8, 2008
References (Continued)
http://news.bbc.co.uk/2/shared/spl/hi/guides/456900/456993/html/default.stm, Biometric Technology. BBC News. March 4, 2008.
http://www.technovelgy.com/ct/Technology-Article.asp?ArtNum=10, Biometric Technology Overview. March 4, 2008.
http://www.antiphishing.org, Phishing Activity Trends Report for 2007. Dec. 2007. Anti-Phishing Working Group (APWG). March 4, 2008.
http://en.wikipedia.org/wiki/Intrusion_Prevention_System, March 4 2008.
http://www.security-int.com/categories/intrusion-prevention-systems/intrusion-prevention-systems.asp, Intrusion Prevention Systems on the Security Software Map. March 5, 2008.